Analyzing outgoing network traffic (part 2)
Last week I posted a diary about analyzing outgoing network traffic and asked our readers to comment on what data sources they use when monitoring the outbound connections our users establish.
Besides the sources I listed in the original diary, we got quite a few comments and some good questions, so I'm combining all of them in this second diary:
- Emerging Threats’ RBN list: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
- ET's compromised IPs list: http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt
- All abuse.ch trackers: Zeus (https://zeustracker.abuse.ch/), SpyEye (https://spyeyetracker.abuse.ch/), Palevo (https://palevotracker.abuse.ch/)
- ... or ET's list of bot C&Cs, which combines the abuse.ch trackers and Shadowserver: http://rules.emergingthreats.net/open/suricata/rules/botcc.rules
- http://www.malwaredomainlist.com/mdl.php - a good malware domain/IP address list. There does not appear to be a list you can download, but you can update through RSS feeds they offer.
- Spamhaus' Don't Route or Peer List (DROP): http://www.spamhaus.org/drop/
- Alienvault also has a free IP reputation list available at https://reputation.alienvault.com/reputation.generic
- Shadowserver has a great list available at http://www.shadowserver.org/wiki/pmwiki.php/Services/Downloads - you have to register, though, and can see only information about your own networks contacting known C&Cs.
These are the lists I verified in the meantime; for more, check the comments on the first diary.
One of our readers, Arnim, also asked about a potentially very useful list of IP addresses belonging to remote access services such as LogMeIn, NetViewer and similar. I'm not aware of such a list, but it would be very useful. Emerging Threats has something similar: a list of outgoing Tor nodes, but that only helps you figure out whether someone that visited your network used Tor. The list is available at http://rules.emergingthreats.net/open/suricata/rules/tor.rules
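The lists above come in different formats (Spamhaus DROP uses `CIDR ; SBLnnn` lines, the malwaredomainlist hosts file maps a sinkhole address to each domain, and ET's botcc.rules carries IPs in a bracketed Suricata destination list). Below is an added example, not code from the diary or from any of the feed providers, that parses small constructed excerpts in the style of those three formats and matches constructed outbound connection records (source, destination, HTTP Host) against them; the feed contents, log records and the `check_outbound` record layout are all my own assumptions.

```python
import ipaddress
import re

# Constructed feed excerpts (not real indicators) in the style of the feeds the diary lists:
# Spamhaus DROP, a malwaredomainlist-style hosts file and a Suricata ip-list rule (ET botcc style).
DROP_FEED = "; DROP (constructed)\n192.0.2.0/24 ; SBL000001\n198.51.100.0/25 ; SBL000002\n"
HOSTS_FEED = "# hosts (constructed)\n127.0.0.1  bad.example\n127.0.0.1  c2.invalid\n"
BOTCC_RULE = ('alert ip $HOME_NET any -> [203.0.113.5,203.0.113.77] any '
              '(msg:"ET CNC constructed sample"; sid:2400000; rev:1;)')
# Constructed outbound records (assumed layout): source, destination, HTTP Host header or "-".
SAMPLE_LOG = [
    "10.0.0.5 203.0.113.5 -",                   # destination listed in the botcc rule
    "10.0.0.7 198.51.100.200 www.example.net",  # outside the /25 block, clean
    "10.0.0.9 192.0.2.44 -",                    # inside a DROP netblock
    "10.0.0.3 172.16.0.20 c2.invalid",          # clean IP, but the Host is a listed domain
]

def parse_drop(text):
    # DROP lines are 'CIDR ; SBLnnn'; anything after ';' is a comment.
    cidrs = (line.split(";", 1)[0].strip() for line in text.splitlines())
    return [ipaddress.ip_network(c) for c in cidrs if c]

def parse_hosts(text):
    # hosts.txt maps a sinkhole address to each bad domain; keep only the domain.
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {row[1].lower() for row in rows if len(row) >= 2}

def parse_iplist_rule(text):
    # Pull the bracketed destination list out of a Suricata 'alert ip' rule.
    ips = (ip.strip() for m in re.finditer(r"->\s*\[([^\]]+)\]", text)
           for ip in m.group(1).split(","))
    return [ipaddress.ip_network(ip) for ip in ips]

def check_outbound(records, nets, domains):
    # Return (src, dst, reason) for every record whose destination or Host hits a feed.
    hits = []
    for record in records:
        src, dst, host = record.split()
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in nets):
            hits.append((src, dst, "ip-blocklist"))
        elif host != "-" and host.lower() in domains:
            hits.append((src, dst, "domain-blocklist"))
    return hits

def run_sample():
    nets = parse_drop(DROP_FEED) + parse_iplist_rule(BOTCC_RULE)
    return check_outbound(SAMPLE_LOG, nets, parse_hosts(HOSTS_FEED))
```

Real feeds change daily, so the parsed sets should be refreshed on a schedule rather than baked in, and a domain match only fires when the Host header is actually logged.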
Thanks to everyone that submitted their comments, including Christian, Ben, Arnim, Hal, Matt, Brent and many others.
--
Bojan
INFIGO IS
Comments
I hope this will be helpful: http://callbackdomains.wordpress.com/
Here, daily, I will be posting only malware callback domains and IPs.
They are extracted from behaviour analysis of malware samples and filtered based on heuristics removing the legitimate domains/IPs.
Any hit to those IPs or domains is a confirmed malware infection.
You can validate them by googling the domain/IP on the internet.
Uma Mahesh
Aug 30th 2012
John Hardin
Aug 30th 2012
http://www.malwaredomainlist.com/hostslist/hosts.txt
Rod
Aug 30th 2012
Sure, I will do it by next week.
Uma Mahesh
Aug 31st 2012
http://www.malwaredomainlist.com/forums/index.php?topic=3270.0
patermann
Aug 31st 2012